In parallel to the growth in use of online channels for accessing a variety of services, and performing a variety of transactions, identity theft has reached epidemic levels, and online account takeover and transaction fraud is growing at an enormous rate. Fraudsters have new technologies at their disposal: for example “Trojan horses” and key loggers are installed in unsuspecting customers' computers, transmitting personal information back to the fraudster; and phishing attacks trick consumers into giving up personal and financial information (for example without limitation: social security number (“SSN”), account numbers, banking information, user names and passwords for various services, personal identification number (“PIN”), credit card numbers, which may be referred to as for example “user Credentials” or “Credentials”).
Recent scams indeed show a sophisticated, determined, innovative and well organized online crime wave. Fraudsters are more adaptive than ever, modifying their modus operandi and techniques quickly to exploit new vulnerabilities. While the fraudsters do not limit themselves to a specific sector, their main focus is on the banking and financial accounts sectors (other sectors prone to fraud are government services, ISPs, telecom companies and healthcare and many others).
One issue is authentication—how does a service or transaction provider indeed know whether a certain user accessing a service and performing actions at a certain site is indeed who he or she claims to be. It is clear that in today's environment using the combination of a login and password alone (which still are the most prevalent method of authentication) may not be satisfactory.
Many solutions have been proposed for the problem of authentication, however many of them encounter an imbalance between usability vs. security—they are either not secure enough, or, when security is enhanced to satisfactory levels, they are cumbersome and expensive to deploy and operate.
Various Transactions, require different types and levels of authentication from users who either wish to access or use them, or perform certain actions. Though the providers of such Transactions require different types and levels of authentication for different types of Transactions they do not require a different level of authentication for Transactions of a given type. Hence for a given type of Transaction, users are required to provide the same amount and level of authentication information, irrespectively of the risk level of the specific occurrence of authentication. For example, and without limitation, a user trying to access an online banking service, may always be required to provide the same information elements for the sake of authentication, even though the risk level associated with each transaction may be different.
Risk levels can vary among Transactions because of factors outside of the Transaction (these may be factors related to the users/potential users' profiles: for example, IP address from which user logs in, or timing of transaction), as well as factors related to the actual Transaction (these are factors mostly related to the nature of the Transaction, for example changing address, and transferring funds, might be treated as posing a greater risk of fraud, than just viewing an account balance).
While maintaining a high level of Transaction security may prevent or significantly reduce fraud, it is not costless, and might not be cost effective. Maintaining a high level of security requires demanding a greater and more complicated amount of information as part of Transaction authentication. This in turn entails a higher level of failed Transactions, due to failed authentication attempts. The reason to such failures is that the more information is required, the more likely are users to fail in their authentication attempts, usually due to lost or forgotten authentication data, which in turn is due to the complexity and/or amount of authentication data that is required.
Users, who do not succeed in authenticating themselves, may abandon the Transaction, or seek some form of customer service assistance in order to complete the authentication. Of course such customer service assistance is extremely costly.
Users who abandon a transaction may also abandon the service altogether. The opposite may also apply. Access to a service can be very easy and therefore not secure enough, both extremes, at the two ends of the binary lines are costly in terms of security or in market share. The main shortcoming of static authentication methods that exist today is this specific binary situation forcing organization to pick one of the two faulty spots—either low security coupled with a greater number of transactions, or heightened security with fewer transactions.
Reference numerals may be repeated among the figures to indicate corresponding or analogous elements.